
You.Know

The True Cyber Risks for Executives

  • Writer: Christie Vazquez
  • May 17
  • 4 min read

Most organizations treat cybersecurity as an IT problem. It gets a budget, and a team, and leadership assumes it's handled. But the data tells a different story. Attackers don't typically get in through technical back doors. There are three common ways.


These attack vectors account for the vast majority of breaches, and knowing what they are matters more than anything you've read in the headlines.


The First Vector: Phishing Dominates Because It Works

Phishing — the practice of deceiving someone into handing over credentials, clicking a malicious link, or approving a fraudulent action — remains the primary method attackers use to get inside organizations.


Comcast's cybersecurity research puts the figure at 80 to 95 percent of all human-associated breaches. IBM's 2024 Cost of a Data Breach Report confirms phishing accounts for close to 30 percent of all global breaches. In 2024, over 38 million phishing attacks were detected worldwide.


The reason it persists is that it doesn't require any technical sophistication to defeat technical defenses. It requires only that one person, under pressure or in a moment of distraction, acts on a message that appears legitimate.


"52 percent of people who clicked on a phishing link did so because they thought it came from a senior executive in the company."

— Tessian Research


AI is accelerating the problem. AI-generated CEO impersonations alone exceeded $200 million in losses in the first quarter of 2025. A UK engineering firm lost $25 million to criminals who impersonated company executives in a deepfake video call — an attack that bypassed every technical control, because the attack vector was human judgment, not software.


The Second Vector: Internet-Facing Vulnerabilities

The second major attack category operates largely below executive awareness: the exploitation of known vulnerabilities in software and systems that face the internet.


The detail most executives don't know is that most of these attacks don't use novel, undiscovered vulnerabilities. They use ones for which patches have already been released and which organizations have simply not applied. The gap between "patch released" and "systems updated" is where a significant share of major breaches occur.


"Most organizations are breached through vulnerabilities they already knew about."

— Verizon Data Breach Investigations Report 2025


These delays rarely happen out of carelessness. They happen because updating and testing systems takes time and can cause disruptions. When nothing has visibly gone wrong, security tends to drop down the list.


The Third Vector: Valid Account Passwords

The third major attack category is in many ways the most disarming: attackers don't break in at all; they log in.


Once an attacker has a valid username and password, most of an organization's defenses become irrelevant. Those defenses have no mechanism to distinguish a legitimate employee from an attacker using that employee's credentials. From the system's perspective, the login is completely normal.


"A surge in stolen usernames and passwords sits behind 68% of all confirmed breaches."

— Verizon Data Breach Investigations Report 2025


This persists because of how people naturally use passwords: reusing the same ones across work and personal accounts, sharing them with colleagues, or having them quietly stolen by software running undetected in the background. The fix is well understood: require more than just a password to log in.


What the Impacts Have Actually Looked Like

The consequences of successful attacks in 2025 and 2026 have gone well beyond data loss.


A cyberattack on Jaguar Land Rover in September 2025 stalled production for months, required a £1.5 billion UK government bailout to keep employees and suppliers paid, and sent some suppliers out of business entirely. Security experts called it the most economically damaging cyberattack to hit the United Kingdom in history.


In March 2026, Stryker, one of the world's largest medical technology companies, with $25.1 billion in revenue and products touching more than 150 million patients annually, had a single compromised admin account turned into a kill switch. Attackers used it to remotely wipe around 200,000 devices across the organization. The real-world consequences were immediate: paramedics in Maryland lost access to Stryker's cardiac data transmission system, forcing them to fall back to radio consultations. Employees across Stryker's 5,500-person hub in Ireland were sent home.


What This Means for You as a Leader

Most successful attacks share two root causes: people being deceived, and systems left exposed. Closing those gaps is not a budget problem; it's a focus problem.


Ask your teams for regular reporting on three things: how phishing exposure is being managed, how authentication is managed, and how quickly systems are being patched and tested. You don't need to interpret the technical detail. You just need to know that someone owns it, that it's being measured, and that the numbers are moving in the right direction.


Data sources: IBM Cost of a Data Breach Report 2024; Verizon Data Breach Investigations Report 2025; World Economic Forum Global Cybersecurity Outlook 2025; FBI Internet Crime Complaint Center 2024; APWG Phishing Activity Trends Report; Comcast Business Cybersecurity Threat Report; IBM X-Force Threat Intelligence Index 2025; Accenture Security Research; PT Security; Tessian Research; TechCrunch; Infosecurity Magazine.


The views expressed are my own. This post was written with the assistance of AI.




 
 